Randomized encodings of functions can be used to replace a "complex" function f(x) by a "simpler" randomized mapping f(x;r) whose output distribution on an input x encodes the value of f(x) and hides any other information about x. One desirable feature of randomized encodings is low online complexity. That is, the goal is to obtain a randomized encoding / of / in which most of the output can be pre-computed and published before seeing the input x. When the input x is available, it remains to publish only a short string x, where the online complexity of computing x is independent of (and is typically much smaller than) the complexity of computing f. Yao's garbled circuit construction gives rise to such randomized encodings in which the online part x consists of n encryption keys of length k each, where n = |x| and k is a security parameter. Thus, the online rate |x|/|x| of this encoding is proportional to the security parameter k. In this paper, we show that the online rate can be dramatically improved. Specifically, we show how to encode any polynomial-time computable function f : {0,1}~n → {0, 1}~(m(n)) with online rate of 1+ o(1) and with nearly linear online computation. More concretely, the online part x consists of an n-bit string and a single encryption key. These constructions can be based on the decisional Diffie-Hellman assumption (DDH), the Learning with Errors assumption (LWE), or the RSA assumption. We also present a variant of this result which applies to arithmetic formulas, where the encoding only makes use of arithmetic operations, as well as several negative results which complement our positive results. Our positive results can lead to efficiency improvements in most contexts where randomized encodings of functions are used. We demonstrate this by presenting several concrete applications. These include protocols for secure multiparty computation and for non-interactive verifiable computation in the preprocessing model which achieve, for the first time, an optimal online communication complexity, as well as non-interactive zero-knowledge proofs which simultaneously minimize the online communication and the prover's online computation.
展开▼
机译:函数的随机编码可用于通过“更简单”的随机映射f(x; r)替换“复杂”函数f(x),其映射在输入x上的输出分布对f(x)的值进行编码并隐藏其他任何值有关x的信息。随机编码的一个理想特征是在线复杂度低。也就是说,目标是获得/的随机编码,其中大部分输出可以在看到输入x之前预先计算并发布。当输入x可用时,仅发布短字符串x即可,其中计算x的在线复杂度与计算f的复杂度无关(并且通常比计算f的复杂度小得多)。姚的乱码电路产生了这样的随机编码,其中在线部分x由每个长度为k的n个加密密钥组成,其中n = | x |。 k是安全参数。因此,在线率| x | / | x |编码的比例与安全参数k成正比。在本文中,我们表明可以大大提高在线率。具体来说,我们展示了如何以1+ o(1)的在线速率和几乎线性的在线方式对任何多项式时间可计算函数f进行编码:{0,1}〜n→{0,1}〜(m(n))计算。更具体地说,在线部分x由一个n位字符串和一个加密密钥组成。这些构造可以基于决策Diffie-Hellman假设(DDH),带错误学习的假设(LWE)或RSA假设。我们还提供了此结果的变体,该变体适用于算术公式,其中编码仅使用算术运算,以及一些与我们的肯定结果互补的否定结果。我们的积极成果可以在使用随机编码功能的大多数情况下提高效率。我们通过介绍几个具体的应用程序来证明这一点。这些协议包括用于安全多方计算和预处理模型中非交互式可验证计算的协议,该协议首次实现了最佳的在线通信复杂性,以及非交互式零知识证明,该协议同时最小化了在线通信和证明者的在线计算。
展开▼
